x/pkgsite: linkify vulnerability aliases

[neild]

The "Aliases" section for vulnerability reports should make CVE and GHSA IDs into links.

We should also stop adding these links to the "References" section of the OSV data by default. We do want to manually include advisory links on occasion, but we shouldn't put a CVE/GHSA link in the references just because the advisory aliases reference it; that's redundant and it's better to generate the link at display time if desired.

[gopherbot]

Change https://go.dev/cl/426034 mentions this issue: all: do not add CVE/GHSA links to references

[neild]

...actually the CVE/GHSA IDs are already links at HEAD, so just need to stop putting links in the refs section.